INFORMATION SYSTEMS AUDITS


Information Systems (IS) audits conducted by the Legislative 
Audit Division are designed to assess controls in an IS 
environment. IS controls assure the accuracy, reliability, and 
integrity of the information processed. From the audit work, 
a determination is made as to whether controls exist and are 
operating as designed. We conducted this IS audit in accordance 
with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for 
our findings and conclusions based on our audit objectives. The 
evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objectives. Members of the
IS audit staff hold degrees in disciplines appropriate to the audit 
process. 


IS audits are performed as stand-alone audits of IS controls or 
in conjunction with financial-compliance and/or performance 
audits conducted by the office. These audits are done under the 
oversight of the Legislative Audit Committee, a bicameral and 
bipartisan standing committee of the Montana Legislature. 
The committee consists of six members of the Senate and six 
members of the House of Representatives. 
The Legislative Audit Committee
of the Montana State Legislature:


It is our pleasure to present our audit of Montana State Lottery security. Montana law 
requires the Legislative Audit Division to perform a comprehensive security audit of the 
Montana Lottery every two years. For the current audit, we assessed security controls 
within the 18 security areas defined by statute, including Lottery's computer systems, 
scratch and online tickets, sports wagering, and Lottery personnel and sales agents. 


This report contains two recommendations for strengthening Lottery's risk
management practices. A written response from the Montana Lottery is included at the
end of the report.


We thank the Montana State Lottery personnel for their cooperation and assistance 
during the audit. 


Respectfully submitted, 
/s/ Angus Maciver 


Angus Maciver 
Legislative Auditor 


Room 160 • State Capitol Building • PO Box 201705 • Helena, MT • 59620-1705
Phone (406) 444-3122 • FAX (406) 444-9784 • E-mail lad@legmt.gov
BACKGROUND

The Montana State Lottery (Lottery) began in 1987 and has contributed significant funds to various
state programs, the general fund, and the STEM scholarship fund. In fiscal year 2022, Lottery sales
from online and scratch ticket games and sports betting totaled $116 million. This is a $4 million
increase from the previous fiscal year's sales. Driving this increase are record-breaking jackpots in
Powerball and the continued popularity of Sports Bet Montana.


Online and scratch ticket games are managed by Lottery, and the systems and gaming services are
provided to Lottery by contractors. Lottery uses one main contractor to provide most gaming services,
including online gaming and sports betting. A separate contractor provides scratch tickets to Lottery.
Lottery's service contract with the main contractor expires in March 2026.
MONTANA LEGISLATIVE AUDIT DIVISION


INFORMATION SYSTEMS AUDIT


Lottery Security
MONTANA STATE LOTTERY AND THE DEPARTMENT OF ADMINISTRATION


A report to the Montana Legislature 


Lottery continues to progress toward enforcing third- 
party accountability and transparency while adjusting 
its continuity planning procedures to meet State 
requirements. However, Lottery’s risk assessment 
procedures and risk culture need further improvement. 
Strong risk identification and state policy compliance 
will better prepare Lottery for the risks associated 
with upcoming changes. The process of soliciting and 
procuring a new contractor is a substantial task that 
Lottery is already starting. Lottery must consider 
multiple risks and adhere to state procurement policy 
in a structured way to mitigate potential problems. 


[Figure: Findings priority matrix. Vertical axis: Impact (Significant, Moderate, Minimal).
Horizontal axis: Ability to Control Risk (High, Low). Quadrants: Critical but Controlled,
Highest Priority, Moderate Priority.]


The figure above summarizes the nature and extent of the audit findings.
Findings are categorized by priority that is based on impact and whether
the agency has effective controls to mitigate the risk associated with the
findings. Impact is the effect a risk could have on an agency's system,
security, business process, or operation. Each priority category contains
the number of relevant findings in this report.


RECOMMENDATIONS: 

In this report, we issued the following recommendations: 
To the agency: 2 

To the legislature: 0 




For the full report or more information, contact the Legislative Audit Division.

leg.mt.gov/lad

Room 160, State Capitol
PO Box 201705
Helena, MT 59620-1705
(406) 444-3122


The mission of the Legislative Audit Division is to increase public trust in state government by
reporting timely and accurate information about agency operations, technology, and finances to the
Legislature and the citizens of Montana.


To report fraud, waste, or abuse:

Online: www.Montanafraud.gov
Email: LADHotline@legmt.gov
Call: (Statewide) (800) 222-4446 or (Helena) (406) 444-4446
Text: (704) 430-3930


RECOMMENDATIONS: 

High Priority 

RECOMMENDATION #1 (page 9): 

Governance, risk assessment, and planning 

Lottery must obtain the education necessary to implement a risk 
assessment process and appropriately establish the role of audit in 
their risk management strategy. 


Lottery response: Concur 


Highest Priority 

RECOMMENDATION #2 (page 11): 

Governance, risk assessment, and planning 

Lottery must establish appropriate methods for risk assessment that
align with state risk management requirements and consider state
policy as part of the assessment process.


Lottery response: Concur 


Chapter I - Introduction, Scope, and Objectives


Introduction 


The Montana State Lottery (Lottery) was created in 1987 and has contributed significant funds
to various state programs, the General Fund, and the STEM Scholarship program. The governor
appoints five members to the commission to oversee Lottery operations, set policy, and determine game
offerings. The governor also appoints a Lottery director.


Lottery is allocated to the Department of Administration (DOA). While DOA manages Lottery’s 
budgeting and reporting and represents Lottery in communications with the governor, Lottery manages 
other required agency activities such as hiring and maintaining staff. 


The Lottery offers various online games and scratch tickets, such as Powerball, Montana Millionaire, 
Treasure Play, and Sports Betting. Lottery selects and manages these games, with gaming services, 
software, and hardware provided by various contractors. However, Lottery uses one primary contractor, 
Intralot, to provide most services. Intralot has various locations across the United States but has 
dedicated staff assigned to Montana Lottery within Helena. The contractor systems support main 
lottery operations, including random number generators, independent verification of lottery operations, 
and the Sports Bet Montana system. A separate contractor, Scientific Games, supplies scratch tickets to 
Lottery. 


Audit Scope and Objectives 


The Legislative Audit Division is required by §23-7-411, MCA, to review 18 areas as part of a security
audit every two years.


During planning, we assess the 18 areas for risks and existing safeguards. Our assessment includes:

• Evaluating risks specific to Lottery in each of the 18 areas,

• Identifying what controls currently exist to mitigate those risks, and

• Determining the level of impact and likelihood the risk has to Lottery operations with the
identified controls already in place.


Table 1 (see page 2) includes the summary of assessment work for each review area within statute. As
part of our assessment, we assign a rating to denote if significant, moderate, or minimal potential risk
still exists after known controls are assessed.
Table 1
Audit Risk Assessment Results for the 2023 Lottery Security
Columns: Required Statute Area | Rating (High / Medium / Low)

• Personnel security
• Lottery sales agent security
• Lottery contractor security
• Security of manufacturing operations of state lottery contractors
• Security against ticket, chance, wager, or bet counterfeiting and alteration and other means of
fraudulently winning
• Lottery premises and warehouse security
• Security involving validation and payment procedures
• Security involving unclaimed prizes
• Security aspects applicable to each particular lottery game and sports wager
• Security of drawings in games whenever winners are determined by drawings
• The completeness of security against locating winners in state lottery games with preprinted
winners by persons involved in their production, storage, distribution, administration, or sales
• Any other aspects of security applicable to any particular lottery game or sports wager and to the
state lottery and its operations

Source: Compiled by the Legislative Audit Division.


During risk assessment, we consider additional areas of risk that are not explicitly stated in statute.
We identified technology and third-party reliance risks due to the system's complexity that enables
Lottery's offerings and the contractor's role in managing that system. These risks directly contribute to
the Lottery contractor security and systems security identified in the table above.


The common risk factors among all high-risk areas were culture, risk management capabilities, and
compliance with external requirements. Our understanding of the controls associated with contractor
and systems security allowed us to focus on these risk factors. The following objective was developed
for the audit:

• Determine if Lottery's risk management process is capable of identifying potential data,
third-party service, and compliance risks that could impact Lottery operations.


Our audit focused on Lottery's risk management program. The scope of this audit includes:

• Lottery's practices for risk assessment, response, and monitoring; and the alignment of these
practices with State requirements for a risk management program.

• The information Lottery collects and maintains for risk assessment, response, and monitoring.

What We Did 


IT audit methodologies focus on reviewing process components and activities to identify how capable 
they are of controlling risks. Risks to the agency are identified in planning with fieldwork structured to 
review the processes to control or mitigate risk thoroughly. Fieldwork methodologies include: 


• Identifying the individuals responsible and accountable for processes.

• Documenting a thorough understanding of control processes through interviews,
observations, and document reviews.

• Reviewing any work products (reports, documents, decisions) or information sources related
to reviewed processes.

• Identifying metrics used internally for determining effectiveness.

• Assessing how the culture and behavior of staff involved in the control process influence risk
management effectiveness.


As part of the audit, we determined how capable each control process is at meeting its intended goal 
and reducing risk to the agency. The following table summarizes the control areas reviewed during this 
audit and our overall determination. The control processes reviewed for each control area are discussed 
in greater detail in subsequent chapters: 


Table 2
Lottery Risk Management Control Areas
Columns: Control Process | Determination

• Collect Risk Data
• Analyze Risk
• Maintain a Risk Profile
• Articulate Risk
• Define a Risk Management Action Portfolio
• Respond to Risk

Process Capability legend:
• Activities are organized and the process is well-defined
• Basic activities are performed and are complete
• Some activity occurs, yet not organized or incomplete
• Incomplete or incapable process

Source: Compiled by the Legislative Audit Division.
Criteria Used


State law outlines the responsibilities of all agencies to develop and manage security programs and IT 
resources in an organized, deliberative, and cost-effective manner. IT governance and management 
practices are necessary to implement these requirements successfully. Therefore, both industry best 
practices and state requirements were used as criteria for this audit: 


• The State Information Security Policy (and appendices) implements sections of Montana
Code Annotated (MCA) that apply to information security. This policy defines the roles and
responsibilities, technical controls, and IT standards adopted by the State.

• The State standards align with the National Institute of Standards and Technology (NIST)
standards, including content requirements for an agency risk management program, which
also served as criteria during this audit.

• The Control Objectives for Information and Related Technology (COBIT) framework
guides common IT management and governance practices to reduce technical issues and
business risks. While Lottery is not required to use this standard, the practices identified
incorporate industry best practices that support and align with NIST and State security
requirements. COBIT was used to evaluate Lottery's Risk Management practices.


Prior Audit Work 


The Lottery Security (20DP-01) report was issued to the Legislative Audit Committee in
October 2021. The audit included five recommendations to the Montana State Lottery (Lottery) that
focused on defining and managing third-party security requirements, aligning sports betting system
functionality with legal requirements, and managing continuity planning. As part of this security audit
(23DP-02), we conducted follow-up work to assess the implementation of the report recommendations.
Table 3 (see page 5) summarizes the progress toward implementation of the report recommendations:


Table 3
Prior Audit Recommendations
Columns: Prior Audit Recommendation | Summary of Recommendation | Status of Prior Audit Recommendation


Prior Audit Recommendation 1
Summary: We recommend that Montana State Lottery:
A. Clearly define necessary security requirements and tools to enforce them in a Security Exhibit or
Addendum within the current contract.
B. Actively manage the security requirements.
Status: Being Implemented
Lottery has compiled enforceable third-party technical security requirements into a single reference
document but has not defined the tools or methods to measure vendor compliance with these
requirements.


Prior Audit Recommendation 2
Summary: We recommend Montana State Lottery improve cyber supply chain risk management by:
A. Reviewing the role and activity of each contractor and subcontractor,
B. Identifying appropriate assurances, and
C. Strengthening contractual agreements to require appropriate, ongoing assurance.
Status: Being Implemented
Lottery now manages a list of assurances from various subcontractors that support the primary vendor.
Lottery has not yet determined whether these assurances are appropriate or meet Lottery security
requirements.
Lottery indicated that expectations for third-party assurances and the means to enforce them will be
clearly outlined in the upcoming solicitation process, expected in March 2025. Defining and receiving
current and appropriate assurances will help Lottery better assess business risk associated with
third parties.


Prior Audit Recommendation 3
Summary: We recommend Montana State Lottery:
A. Ensure changes are made that align the system functionality with legal requirements of sports
betting account management.
B. Improve system testing procedures by identifying when a formal testing plan is needed and verify
legal requirements are met by new functionality.
Status: Implemented
Inconsistencies between the sports betting terms and conditions and statute and rule have been
corrected. Individuals who wish to self-exclude from sports betting still must create an account so
their identity can be properly verified. While this implementation does not align with rule, it does
align with the intent of the rule.
Lottery conducts user acceptance testing when there are significant changes to sports betting software
to ensure invalid players are not capable of creating sports betting accounts.


Prior Audit Recommendation 4
Summary: We recommend Montana State Lottery create policy and procedure for managing, reviewing,
and updating their continuity plan that ensures complete and useful information is present, including:
A. Administrative details and contact information for all continuity personnel and third parties,
B. Clear definitions of essential functions and the strategy to restore each essential function, and
C. Documentation of critical information systems and assets required to restore each essential
function, including how the information systems and assets are backed up, procured, or stored.
Status: Being Implemented
Lottery has incorporated the missing details into its Business Continuity Plan (BCP) but has not
created policy and procedure to govern the management of the BCP.
Lottery intends to complete all aspects of the BCP in the newly created Montana Disaster and
Emergency Services (DES) system and develop internal policy and procedure when DES guidance
becomes available. DES completed the implementation of the continuity planning software in
June 2023 and agency guidance is being developed now.


Prior Audit Recommendation 5
Summary: We recommend Montana State Lottery develop and implement a training and testing program
in conjunction with their continuity plan such that:
A. Personnel are formally informed of and trained on any roles and responsibilities they may have in
executing the continuity plan.
B. Testing of the continuity plan is performed so that restoration of essential functions can be
demonstrated.
C. The continuity plan is updated to address any deficiencies identified during the testing program.
Status: Being Implemented
Lottery has discussed the roles and responsibilities with relevant personnel and performed training and
testing exercises of the revised BCP with these continuity personnel. However, Lottery did not document
the scope of the training, methods of review, or outcomes of the testing, information that should be
collected and considered as part of risk management. Lottery indicated they would compile this
information in future testing exercises as the DES guidance on BCP management is formalized.


Source: Compiled by the Legislative Audit Division.


Chapter II - Lottery Risk Management: Culture & Activities


Lottery Risk Culture 


Risk culture is the general awareness, attitudes, and behaviors of an agency’s employees toward risk 
and how risk is managed. It is a key indicator of how widely an agency’s risk management policies 
and practices have been adopted and drives the behaviors influencing the day-to-day risk management 
practices. Lottery’s risk management behaviors are reactive and affect overall risk management. 


The following table summarizes our review of desirable behaviors that contribute to a proactive and
positive risk culture:


Table 4
Lottery Risk Management Cultural Elements
Columns: Culture, Ethics, and Behavior Component | Determination

Transparent and Participatory Risk Culture
• Support for incorporation of risk practices: Pass
• Open Communication: Pass
• Aligning policies to defined risk appetite: Finding
• Reporting risk activity to Lottery Director and Commission: Pass
• Proactively monitoring risk and progress: Finding

Source: Compiled by the Legislative Audit Division.


Significant Findings 


Lottery exhibits a reactive risk culture that impacts its risk assessment capabilities. Factors that 
contribute to this culture include: 


• Lottery's risk management program does not define a risk appetite. Risk appetite defines the
amount of risk an agency is willing to accept in pursuit of its objectives, identifies which risks
require a response, and guides risk management policies and practices.

• Risk monitoring practices only consider known and obvious risks. While this practice
measures and ensures the effectiveness of existing security controls, it does not monitor for
threats associated with potential risks that could impact Lottery.

• Lottery's risk management program identifies Legislative Audit as a source of risk
identification and control monitoring rather than an independent means to verify security
controls.


Impact 


Risk assessment aims to identify potential risks, security issues, and instances of noncompliance with
applicable laws, policies, and regulations. Proactive risk management relies entirely on risk identification
so that an agency can appropriately address risk before it impacts the agency. Without a defined risk
appetite, Lottery's risk assessment efforts are not scoped to assess and identify potential risks effectively.
This impacts Lottery's ability to monitor for potential risk indicators, as Lottery cannot proactively
monitor for unknown or unidentified risks.


Lottery’s risk management program inappropriately identifies Legislative Audit as a source of risk 
identification and control monitoring. The recurring security audit performed by Legislative Audit 
regularly identifies instances of Lottery not meeting state policy requirements. Lottery appreciates that 
these audits offer opportunities for improvement. Still, this relationship has established a reliance on 
audits to identify problems that should be more appropriately identified by effective risk assessment. 


Identifying risks internally would allow Lottery to address them on their own schedule. Instead,
Lottery must first wait for audit findings to identify risks and then address them in a limited time
frame before audit follow-up. This behavior, reliance on audit and subsequent response to the audit
recommendations, reinforces a reactive risk culture and forces Lottery to prioritize recommendations
that could impact revenue over recommendations that would improve Lottery's overall security
posture.


Improvement Opportunity 


Lottery exhibits most of the cultural elements that positively influence risk management behaviors and 
practices. For example: 


• Management values and ethics align with Lottery's mission.

• Lottery considers security risks in its operations.

• Lottery's risk communications are transparent and Lottery responds positively when its risk
practices are challenged.

• Most importantly, Lottery understands the value of effective risk management and recognizes
the need to improve its overall approach to risk management.


Lottery also demonstrates visible and genuine support for building a proactive risk culture and has 
taken steps toward incorporating and improving risk practices throughout the agency. However, 
Lottery has expressed frustrations with developing a comprehensive risk management program. 
Lottery is a small agency, and developing a risk management program that aligns with state policy 
requirements, standards, and guidelines is an involved and disciplined process. 


Successful security depends on both tactical and strategic activities. Where the tactical activities are 
the “nuts and bolts” or technical procedures for day-to-day security, risk management is the strategic 
component that justifies those tactics and the impact the tactics will have on overall risk. Risk 
management is the ability to view the risk landscape holistically and apply the appropriate mitigation 
tactics at the appropriate time. 


Lottery's risk management is the responsibility of existing security and IT management. While these
personnel possess the skills and talent to enforce operational security effectively, improvements can
be made to evolve their risk management capabilities. Lottery needs to proactively seek the necessary
risk management education or training or involve the help of others if that is the preferred approach.
Developing an understanding of what constitutes and how to perform effective risk management is the
first step toward establishing behaviors for proactive risk culture. This will allow Lottery to improve its
overall risk management practices, including risk identification and response, and appropriately reframe
Lottery's reliance on audit.


RECOMMENDATION #1 


We recommend the Montana State Lottery seek the education or training necessary 
to implement effective risk management and establish an appropriate role for audit 
within risk management. 




Lottery Risk Management Activities 


Risk management is the tool to assess and respond to financial, regulatory, strategic, and security risks 
that could impact an agency’s resources and operations. Lottery manages agency-wide risk with an 
internal control review process instead of a formalized risk management program. While this process 
is appropriate for monitoring controls to mitigate known or previously identified risks, the process is 
ineffective for identifying new or potential risks. 


The following table summarizes the review of Lottery’s risk management control processes: 


Table 5
Lottery Risk Management Control Processes
Columns: Control Process | Activity | Determination

Collect Risk Data
• Established method for collection and classification: Finding
• Record risk-related data on operating environment: Finding
• Defines risk taxonomy for consistent analysis: Finding

Analyze Risk
• Defined scope of risk analysis efforts: Finding
• Established risk scenarios: Finding
• Estimate likelihood and impact: Pass
• Propose responses to risk: Pass

Maintain a Risk Profile
• Inventory of business processes and resources: Finding
• Aggregate and categorize risk scenarios: Finding
• Consolidated agency risk profile: Finding
• Maintain a risk action plan: Finding

Source: Compiled by the Legislative Audit Division.
Significant Findings


Lottery’s risk management program does not align with State policy requirements. Key practices 
necessary for effective risk assessment, and ultimately, risk identification are missing or incomplete: 


• No structured method exists for the collection or maintenance of risk-related data and risk
factors.

• Risk analysis is not appropriately scoped and relies on incomplete methods and institutional
knowledge.

• An actionable agency risk profile is not maintained to facilitate risk-based decision-making
and track risk response progress.

• State policy is not considered during data collection or risk analysis to identify or measure
compliance risks.


Impact 


The purpose of risk assessment is ultimately to identify risks to an agency. Risk identification is
the biggest challenge within risk management. It is a continuous and speculative process that relies
entirely on the quality of the risk information collected before analysis. Effective risk assessment and
identification consists of three activities that build upon one another:

• Data collection creates the foundation of risk assessment. It defines the scope of an agency's
internal and external environment that considers business processes, resources, policy
requirements, risk factors, and establishes a common vocabulary for communicating risk and
estimating the frequency and harm associated with risk. Lottery does not have a structured
approach to collect and maintain risk data, which impacts further risk assessment activities.

• Risk analysis considers the risk information from the data collection activity to identify
risks to an agency. Without effective risk data collection, Lottery's risk analysis efforts are not
scoped to develop a substantiated view of actual risk.

• A risk profile aggregates the risks identified during analysis and documents all resources,
capabilities, and control activities associated with the risk. This profile allows risk
prioritization and yields actionable information for risk-based decision-making and
communication. Lottery maintains this information for known and already-controlled risks
but does not consider potential or unknown risks.


Lottery needs to proactively identify and address operational, reputational, and technical risks, as 
well as the more apparent risk that applies to all agencies—noncompliance with aspects of state 
policy. Lottery does not have a formal process for identifying such risks, so they do not have a 
structured approach to mitigate them. This has led to multiple past audit findings directly related to 
noncompliance with state policy. 


Lottery’s inability to adequately identify compliance risks is immediately relevant as there are large 
changes on Lottery’s horizon—changes that carry inherent risks and must follow state policy and 
procedure during implementation. 


In March 2026, Lottery’s contract with Intralot expires. Intralot is the vendor that supplies the 
infrastructure and services that enable Lottery’s primary business offerings: the sale of lottery tickets 
and sports betting. Given the scope of services provided by this vendor, there are many risks Lottery 
must consider in the solicitation and procurement process: 


• The solicitation must consider and account for all relevant third-party risks that ensure
reliable service delivery and that the contract is in the best interest of the State.

• The State requires a comprehensive risk assessment that documents how Lottery and the
proposed system will meet the State's Information Security policy requirements. This task
requires improvements in Lottery's current risk assessment process.

• A change of vendors could also impact how Lottery conducts its day-to-day business. Lottery
must consider how a new vendor could affect their current business processes or existing
infrastructure.


Considering these types of risks and the future changes Lottery faces, Lottery must improve its current 
risk assessment practice to prevent issues during the solicitation and procurement process and during 
the transition to a new vendor and contract. 


Improvement Opportunity 


Risk assessment is the foundation of risk management because it identifies the risks that enable risk 
response and monitoring. Best practices and state policy require that a risk management program 
identify applicable policy requirements during risk assessment and include a method to ensure the 
satisfaction of these requirements. Lottery’s risk assessment process does not adequately consider state 
policy. It is, therefore, unable to identify that its risk management program itself does not meet these 
requirements—including the required methods that enable effective risk assessment. 


In addition to developing a comprehensive risk assessment process that aligns with state policy,
Lottery needs to consider and measure compliance with state policy requirements as part of its risk
management program. This will help ensure Lottery's risk management program can identify potential
and unknown risks that threaten its goals and objectives.


RECOMMENDATION #2 


We recommend Lottery establish a risk management program that aligns with state
policy that includes:

A. Appropriate risk assessment methods for the collection of risk-related data,
analysis of this data for risk identification, and maintenance of a risk profile; and

B. An inventory of applicable state policy requirements and a method to track and
ensure satisfaction of these requirements.
Mr. Angus Maciver
Legislative Auditor
Office of the Legislative Auditor
State Capitol Building
Helena, MT 59620-1705

[Received stamp: Legislative Audit Div., Oct 27 2023]


RE: Response to the 2023 Montana Lottery Security Audit
Dear Mr. Maciver:


The Lottery has received the results of the Montana Lottery Security Audit for 2023 and 
welcomes the chance to respond to the findings. 


The Montana Lottery concurs with the two (2) findings identified and will take the necessary
action to comply with the recommendations. Lottery staff has already taken action to begin to
address the identified issues.


The following is our response and action plan to the specific recommendations of the audit: 


RECOMMENDATION #1


We recommend the Montana State Lottery seek education or training necessary to implement 
effective risk management and establish an appropriate role for audit within risk 
management. 


The Montana Lottery concurs with this recommendation and is seeking training in risk 
management. Once the training has been obtained the role for audit will be identified and 
implemented. 


RECOMMENDATION #2


We recommend Lottery establish a risk management program that aligns with state policy
that includes:
A. Appropriate risk management methods for the collection of risk-related data, analysis of this
data for risk identification, and maintenance of a risk profile; and
B. An inventory of applicable state policy requirements and a method to track and ensure
satisfaction of these requirements.
We concur with this recommendation and will modify our methodology for the collection of
risk-related data, analysis of this data for risk identification, and maintenance of a risk profile. 
An inventory of applicable state policy requirements will be maintained and tracked to ensure 
compliance. 


The Lottery has already started to respond to these findings and believes we can be fully
implemented by July 1, 2024.


Thank you again for the opportunity to respond. As always, your team established a good 
working relationship with our office with the shared end goal of improving the security of the 
Montana Lottery. 


Sincerely, 


/s/ Scott Sales


Scott Sales, Director 
Montana Lottery 